ebook img

Enterprise Level Security PDF

413 Pages·2016·19.093 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Enterprise Level Security

Information Technology S Enterprise Level i m Enterprise Level Security: Securing Information p Systems in an Uncertain World provides a modern s o SECURITY alternative to the fortress approach to security. The n new approach is more distributed and has no need for passwords or accounts. Global attacks become much more difficult, and losses are localized, should E they occur. The security approach is derived from n SECURING INFORMATION SYSTEMS a set of tenets that form the basic security model requirements. Many t IN AN UNCERTAIN WORLD of the changes in authorization within the enterprise model happen auto- e matically. Identities and claims for access occur during each step of the r computing process. p r i Many of the techniques in this book have been piloted. These techniques s have been proven to be resilient, secure, extensible, and scalable. The op- e erational model of a distributed computer environment defense is currently L being implemented on a broad scale for a particular enterprise. e v The first section of the book comprises seven chapters that cover basics e and philosophy, including discussions on identity, attributes, access and l privilege, cryptography, the cloud, and the network. These chapters con- tain an evolved set of principles and philosophies that were not apparent S at the beginning of the project. E The second section, consisting of chapters eight through twenty-two, contains technical information and details obtained by making painful C mistakes and reworking processes until a workable formulation was de- rived. Topics covered in this section include claims-based authentication, U credentials for access claims, claims creation, invoking an application, cascading authorization, federation, and content access control. This section also covers delegation, the enterprise attribute ecosystem, da- R tabase access, building enterprise software, vulnerability analyses, the enterprise support desk, and network defense. I T Dr. William R. Simpson Y Award-winning cybersecurity architect for K29023 high assurance information technology systems 6000 Broken Sound Parkway, NW Suite 300, Boca Raton, FL 33487 ISBN: 978-1-4987-6445-2 711 Third Avenue 90000 New York, NY 10017 an informa business 2 Park Square, Milton Park www.crcpress.com Abingdon, Oxon OX14 4RN, UK 9 781498 764452 w w w . c r c p r e s s . c o m K29023 cvr mech.indd 1 3/9/16 9:11 AM Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for high assurance information technology systems Institute for Defense Analyses, Alexandria, Virginia, USA Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for high assurance information technology systems Institute for Defense Analyses, Alexandria, Virginia, USA Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for high assurance information technology systems Institute for Defense Analyses, Alexandria, Virginia, USA Cover design by Rebecca Simpson Steele. Cover art: Padlock dissolving, copyright John Lund; 6/11/2012 by license. CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2016 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Printed on acid-free paper Version Date: 20160217 International Standard Book Number-13: 978-1-4987-6445-2 (Hardback) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmit- ted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright. com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Library of Congress Cataloging‑in‑Publication Data Names: Simpson, William Randolph, 1946- author. Title: Enterprise level security : securing information systems in an uncertain world / author, William R. Simpson. Description: Boca Raton : Taylor & Francis, 2016. | Includes bibliographical references and index. Identifiers: LCCN 2015041818 | ISBN 9781498764452 (alk. paper) Subjects: LCSH: Computer networks--Security measures. | Industries--Security measures. Classification: LCC TK5105.59 .S563 2016 | DDC 005.8--dc23 LC record available at http://lccn.loc.gov/2015041818 Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com This book is dedicated to my wife who has put up with many missed engagements, and to my partner Coimbatore Chandersekaran who coached and mentored me through many of the processes described herein. His presence is missed, although felt throughout these pages. Contents List of Figures ...................................................................................................xix List of Tables ..................................................................................................xxiii Foreword ..........................................................................................................xxv Preface ...........................................................................................................xxvii Acknowledgments ..........................................................................................xxix Author .............................................................................................................xxxi 1 Introduction ...........................................................................................1 1.1 Problem Description ..........................................................................1 1.1.1 Success beyond Anticipation ................................................1 1.1.2 But, It Started Long before That … .....................................1 1.1.2.1 A Brief History of the Development of the WWW ......................................................1 1.1.3 Fast-Forward to Today .........................................................2 1.2 What Is Enterprise Level Security? ....................................................4 1.3 Distributed versus Centralized Security .............................................4 1.3.1 Case Study: Boat Design ......................................................4 1.3.2 Case Study Enterprise Information Technology Environment ........................................................................5 1.3.3 Security Aspects ...................................................................5 1.3.3.1 Confidentiality ......................................................6 1.3.3.2 Integrity ................................................................6 1.3.3.3 Availability ............................................................6 1.3.3.4 Authenticity ..........................................................6 1.3.3.5 Nonrepudiation .....................................................6 1.4 Crafting a Security Model .................................................................6 1.4.1 The Assumptions ..................................................................7 1.4.2 Tenets: Digging beneath the Security Aspects ......................7 1.5 Entities and Claims .........................................................................11 1.5.1 Credentialing .....................................................................11 1.6 Robust Assured Information Sharing ..............................................12 1.6.1 Security Requirements .......................................................12 1.6.2 Security Mechanisms .........................................................12 vii viii ◾ Contents 1.6.3 Goals and Assumptions of IA Architecture ........................13 1.6.4 Assumptions .......................................................................15 1.6.5 A Framework for Entities in Distributed Systems ...............17 1.7 Key Concepts ..................................................................................19 1.7.1 ELS-Specific Concepts .......................................................20 1.7.2 Mapping between Tenets and Key Concepts ......................20 1.7.3 Enterprise-Level Derived Requirements .............................20 1.7.4 Mapping between Key Concepts and Derived Requirements .....................................................................22 1.8 Two Steps Forward and One Step Back ...........................................23 1.9 The Approximate Time-Based Crafting ...........................................23 1.10 Summary .........................................................................................28 SeCtion i BASiCS AnD PHiLoSoPHY 2 Identity .................................................................................................31 2.1 Who Are You? .................................................................................31 2.2 Naming ...........................................................................................32 2.3 Identity and Naming: Case Study ...................................................33 2.4 Implications for Information Security ............................................34 2.5 Personas ...........................................................................................35 2.6 Identity Summary ...........................................................................35 3 Attributes ..............................................................................................37 3.1 Facts and Descriptors ......................................................................37 3.2 An Attribute Ecosystem ...................................................................38 3.3 Data Sanitization ............................................................................40 3.3.1 Guarded and Filtered Inputs .............................................40 3.3.2 Guard Administrator Web Interface ...................................41 3.3.3 Integrity in Attribute Stores ...............................................41 3.3.4 Secure Data Acquisition .....................................................41 3.3.5 Integrity at the Source ........................................................41 3.4 Temporal Data ...............................................................................42 3.5 Credential Data ..............................................................................42 3.6 Distributed Stores ...........................................................................44 4 Access and Privilege .............................................................................45 4.1 Access Control .................................................................................45 4.2 Authorization and Access in General ..............................................46 4.3 Access Control List ..........................................................................48 4.3.1 Group Requirements ..........................................................48 4.3.2 Role Requirements .............................................................48 4.3.3 ACRs and ACLs .................................................................48

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.